Tuesday, January 10, 2006

FreeBSD 6.0 - /etc/hosts.allow - getaddrinfo Problem

I recently built a new machine with FreeBSD 6.0. I began noticing problems with remote SSH. I could ssh to the machine from some locations, but not others. I took a look at the /var/log/auth.log and saw:

Jan 10 10:44:18 lenny sshd[34901]: warning: /etc/hosts.allow, line 35: can't verify hostname: getaddrinfo(ppp-xxx-xxx-xxx-xxx.ded.pacbell.net, AF_INET) failed
Jan 10 10:44:38 lenny sshd[34901]: refused connect from xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
I did some digging on Google, and realized I should look at the line being mentioned in the log error.

Line 35 (and a couple lines prior) from /etc/hosts.allow:

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny
(You can read RFC 931 if you so desire.)

I quickly did a reverse and forward DNS lookup on the gateway IP/name I was coming from. Sure enough, there was a reverse entry, but not a forward entry. Since they didn't match, it was failing this line in /etc/hosts.allow.
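To see exactly why the PARANOID rule rejects a client, the forward/reverse consistency check it performs can be reproduced outside tcpd. The script below is an added example, not tcpd's or FreeBSD's own code: it does the PTR lookup, then the AF_INET getaddrinfo on the resulting name, and reports pass/deny the way the rule would. The example.net names and 192.0.2.x addresses in the sample table are constructed so the logic can be exercised without network access; pass a real address on the command line to use live DNS.

```python
"""Reproduce the forward/reverse DNS consistency check behind the PARANOID
wildcard in /etc/hosts.allow (added example, not tcpd's own code)."""
import socket
import sys


def reverse_lookup(ip):
    """PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def forward_lookup(name):
    """A-record lookup (AF_INET, as in the log line); empty set on failure."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def paranoid_check(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Return ('pass'|'deny', reason) following the PARANOID rules: no reverse
    record passes; a reverse name that does not resolve back to ip is denied."""
    name = reverse(ip)
    if name is None:
        return "pass", "no reverse DNS, PARANOID does not match"
    addrs = forward(name)
    if not addrs:
        return "deny", f"can't verify hostname: getaddrinfo({name}, AF_INET) failed"
    if ip not in addrs:
        return "deny", f"{name} resolves to {sorted(addrs)}, not {ip}"
    return "pass", f"{ip} <-> {name} forward/reverse match"


# Constructed sample records (TEST-NET addresses, not real hosts) so the
# check can be run offline. 192.0.2.10 mirrors the gateway in the post:
# it has a PTR record but no matching forward record.
FAKE_PTR = {
    "192.0.2.10": "ppp-192-0-2-10.example.net",  # reverse only
    "192.0.2.20": "good.example.net",            # consistent
    "192.0.2.30": "moved.example.net",           # forward points elsewhere
}
FAKE_A = {"good.example.net": {"192.0.2.20"}, "moved.example.net": {"192.0.2.99"}}


def check_sample(ip):
    """Run paranoid_check against the constructed records instead of live DNS."""
    return paranoid_check(ip, FAKE_PTR.get, lambda n: FAKE_A.get(n, set()))


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        print(arg, *paranoid_check(arg))
```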

I commented out the line, and everything started working properly. Another solution would be to fix the DNS issue with the gateway I am currently behind... but that won't always be an option. I feel that my SSH is fairly well protected, since I am running DenyHosts.

I now get the following errors, which are still a little more paranoid than may be necessary:

Jan 10 11:17:55 lenny sshd[35544]: warning: /etc/hosts.allow, line 39: can't verify hostname: getaddrinfo(ppp-xxx-xxx-xxx-xxx.ded.pacbell.net, AF_INET) failed
Jan 10 11:17:55 lenny sshd[35545]: reverse mapping checking getaddrinfo for ppp-xxx-xxx-xxx-xxx.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Jan 10 11:17:55 lenny sshd[35544]: reverse mapping checking getaddrinfo for ppp-xxx-xxx-xxx-xxx.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Jan 10 11:17:57 lenny sshd[35544]: Accepted keyboard-interactive/pam for xxxxxxxxx from xxx.xxx.xxx.xxx port 38708 ssh2

Overall, it's another great example of how FreeBSD tries to be secure out of the box and keep people from getting themselves hacked.
